FERPA and Email Communication: The Role of Email Archiving in Education

There are very few sectors today that can get away without adhering to email compliance legislation, and education is not one of them.

Federal rules and data protection legislation mandate that school districts, universities and most educational agencies archive email and other communications as part of their data compliance duties. This is to cover the organization if the authorities ever require any records. If the institutions cannot produce the records, they could be subject to fines and penalties.

Here are some of the top reasons why email archiving needs to be a priority in the education sector.

Email Archiving Can Help Reduce Legal Costs

In reality, school districts are not completely clueless. On the contrary, most stakeholders are aware of the potential for legal issues to arise. A recent poll found that 65% of K-12 school principals fear that their decisions might be legally challenged. Nearly the same percentage (55%) think the threat of legal challenges is on the rise.

An increase in legal costs would be crippling for a lot of school districts, as they already foot huge legal bills and get limited federal funding. For instance, the Los Angeles Unified School District alone spent over $183 million on lawsuits over a four-year period. And before the pandemic hit, 2020 seemed to be the year when court cases threatened to shift the K-12 landscape.

Email Archiving Streamlines Ediscovery for K-12 Schools

In schools, internal teacher-to-teacher communication is mostly conducted via email, and so is communication with parents and students. Email archiving ensures these records are safe and accessible. Access is the key issue here. Within the discovery process, schools are required to disclose electronic information early in the proceedings.

But the need for early disclosure isn’t the only requirement when it comes to email records. Another one is the form email evidence takes – it is vital that electronic evidence be provided in its original form since any changes raise the potential for accusations of evidence tampering.

Email archiving prevents this in several ways:

• It ensures that all records are not only stored safely and searchable, but that they can be located and retrieved quickly
• It makes sure the original message or thread is stored in its native, WORM format, that it is time and date stamped and that it can’t be altered or deleted

We know that educational institutions, just like any other organization, increasingly rely on digital communication technologies for their day-to-day operation.

From the compliance perspective, running a school is like running a business. Any breach of regulations can have serious consequences for the educational institution, including fines, penalties and reputation damage.

When it comes to enterprise data archiving and compliance, things seem to get even more complicated for K-12 schools, universities and other educational institutions. That’s largely because the line between using email, social media and instant messaging in and out of the classroom is blurrier than ever.

The education industry is different from other regulated industries as there are several relations in the equation.

Students are using email and social media to communicate to each other on school grounds. And so are teachers. Both groups are now using instant messaging apps to communicate among themselves and with each other. Teachers contact parents and administrative staff on social media, by texting or even on the phone. It’s messy and it’s compliance-failure heaven.

Research shows that almost 90% of daily communication in school districts relies on email as the main communication channel, closely followed by unsecured instant messages.

When we know that only 20% of social media and mobile content ever gets retained (but contains a bunch of evidence and sensitive information), our compliance worries get even more real.

To assist educational institutions with regulatory compliance, we compiled a Compliance Checklist for the Education Industry in the US (although any school can benefit) that you can download for free.

The Complexity of K-12 Email Compliance

Organizations in regulated industries need to follow strict compliance laws and regulations which govern how and where they should store their digital information.

However, unlike other highly regulated industries, schools can fall under a number of different categories.

But the story doesn’t end there. Schools, colleges and universities were the first organizations to fully and enthusiastically embrace the BYOD trend despite the numerous concerns regarding the security of these devices.

What follows is a list of the relevant regulations that govern retention, storage and accessibility of all digital communications in the education industry:

1. The Freedom of Information Act (FOIA) and State Sunshine Laws

According to FOIA, public schools, colleges, universities and other government agencies must make available all records, including those in the electronic format (email, chat apps, social media). Sunshine Laws are state-specific laws that are very similar to FOIA and that govern the deadlines for the school to produce the requested information.

Similar laws have been enacted worldwide. In Canada, for instance, there’s the Freedom of Information Protection and Privacy Act (FIPPA). As schools inevitably collect a lot of personal and health information, this law makes them responsible for “ensuring compliance with all access to information and protection of privacy requirements”. Schools are required to keep complete student files and grades for 10 and 30 years, respectively.

Related: How Jatheon Helped MCSD Improve Compliance and FOIA Response with Email Archiving

2. Family Education Rights and Privacy Act (FERPA)

This federal law governs the access to educational information and records and may apply to electronic communication. FERPA gives parents access to their children’s education records. After the student reaches the age of 18, their consent is mandatory before their education records can be accessed, inspected and reviewed. FERPA is applicable to all public K-12 school districts and all post-secondary institutions.

Related: Check your school’s FERPA Compliance status in under 10 minutes

3. The Health Insurance Portability and Accountability Act (HIPAA)

Although HIPAA regulates the way healthcare workers handle protected health information and medical records, we now have medicare on school campuses. Schools often provide services such as counseling, vaccination or administration of prescription drugs. This means that schools which possess sensitive health information must ensure full compliance with HIPAA.

4. Gramm-Leach Bliley (GLBA)

GLBA is the federal act which regulates the security and privacy of personal financial information, so many educators believe that it is limited solely to financial institutions.

However, if a school issues loans to students or personnel or provides financial counseling to donors, it may be considered a financial institution. The process is much more straightforward in higher education, as colleges and universities regularly engage in lending and providing financial advisory services.

When it comes to K-12 schools, it is necessary to conduct assessment to evaluate whether their activities fall under GLBA. Still, all schools are required to make sure that their students’ financial aid records and all other sensitive information are kept secure and confidential.

FERPA and Email Communication: What You Need to Know

FERPA protects students’ educational records and allows students (and their parents) the right to correct faulty records. It applies to all educational institutions which receive federal funding and gives students the rights to:

• view, review and request changes to their educational records in case they are inaccurate, misleading or in violation of students’ privacy
• request that their personally identifiable information not be disclosed without written permission
• submit a formal complaint to the US Department of Education if there is suspicion that the institution did not comply with the FERPA requirements

Examples of educational records include SSN, biographical information (including gender, nationality, race, religion and photos), test scores, GPA, exam papers, email conversations or any other recorded communications.

Electronic data archiving is important for FERPA because compliance managers will be able to track what information they have on a particular student, how well it is protected and who has access to it.

In case an educational institution is faced with charges on FERPA violations, their email archive would be their first line of defense and could save a lot of labor hours, time and money typically spent on legal counsel.

How to Ensure FERPA Compliance for Email Communication

1. Conduct an Assessment

The first step towards full compliance is to conduct an assessment and check which specific regulations apply to you. This first stage is the most demanding and time-consuming, but it’s worth the effort. Don’t hesitate to hire a legal expert to decipher the laws and regulations for you.

2. Create Records Retention Policies (and stick to them)

Make sure you have rock-solid policies and procedures. Train and educate your staff to make sure they understand your compliance and information governance programs, as well as the risks and severe consequences of non-compliance. Then have them educate the students.

Provide strict guidelines and enforce the policy. Define what’s acceptable on your official email and social media channels and assign a compliance officer to monitor and control how technology is used on school grounds.

3. Conduct Internal Audits

Regular internal audits will help you identify areas of risk and allow you to take steps to neutralize or minimize this risk before it becomes a real threat. Coordinate your various departments to improve your information governance strategy and learn to always be prepared for litigation.

4. Get a Dedicated Email and Social Media Archiving Solution

No compliance program is complete without technology. Managing electronic information can be demanding, especially when you deal with somebody’s entire education history and thousands of student records. Secure, long-term data storage and easy data availability is mandatory for both compliance and legal use cases.

The main purpose of email and social media archiving solutions is to automate compliance, data management and ediscovery of electronic communications. They can be on-premise systems or cloud-based software that capture, store and allow you to search your entire electronic communications from a single interface.

Once captured, your email, attachments, social media, text messages or chat exchanges are indexed, made searchable and stored in a WORM format for however long you need them (typically 7 years in order to be compliant with all relevant regulations). You can specify different retention windows based on the relevant regulations, user roles or departments, after which the data is automatically deleted to limit liability.

Archiving solutions are also used to detect and prevent cyber bullying or improper employee relationships. This can be done by specifying keywords and then searching conversations for the given keywords or getting proactive alerts if a specific word gets used.

Summary: What and When to Archive?

The general rule of thumb is that all email and official social media accounts have to be archived. But does this include spam mail and any personal email?

Email filtering software should be able to filter out spam, and it’s a good idea to encourage employees to use personal email and social media accounts when dealing with personal communications.

With those out of the equation, your compliance and IT teams should treat all other email communications as relevant business records. Remember that daily backups won’t make the cut and won’t satisfy federal requirements. This is because an email can be sent and then deleted during the day before a nightly backup is completed, which would lead to incomplete records and be in breach of federal requirements.

For this reason precisely, the most comprehensive and tested way of ensuring email compliance is automated data archiving.